npm - @bryan-thompson/inspector-assessment - Versions diffs - 1.36.5 → 1.38.0 - Mend

@bryan-thompson/inspector-assessment 1.36.5 → 1.38.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (104) hide show

package/client/lib/lib/securityPatterns/validationPatterns.js ADDED Viewed

@@ -0,0 +1,110 @@
+/**
+ * Input Validation and Protocol Compliance Patterns
+ *
+ * Tests for input validation and MCP protocol compliance.
+ * Includes: Type Safety, Boundary Testing, Required Fields,
+ * MCP Error Format, Timeout Handling
+ */
+/**
+ * Input validation and protocol compliance patterns (5 patterns)
+ */
+export const VALIDATION_PATTERNS = [
+    // 7. TYPE SAFETY
+    {
+        attackName: "Type Safety",
+        description: "Test if tool validates parameter types correctly",
+        payloads: [
+            {
+                payload: "not_a_number",
+                evidence: /(type.*error|invalid.*type|expected.*number|cannot.*convert)/i,
+                riskLevel: "MEDIUM",
+                description: "String instead of number",
+                payloadType: "validation",
+            },
+            {
+                payload: "999999999999999",
+                evidence: /(overflow|out.*of.*range|exceeds.*maximum|number.*too.*large)/i,
+                riskLevel: "MEDIUM",
+                description: "Numeric overflow",
+                payloadType: "validation",
+            },
+            {
+                payload: "true",
+                evidence: /(type.*error|invalid.*type|expected.*string|cannot.*convert)/i,
+                riskLevel: "LOW",
+                description: "Boolean instead of string",
+                payloadType: "validation",
+            },
+        ],
+    },
+    // 8. BOUNDARY TESTING
+    {
+        attackName: "Boundary Testing",
+        description: "Test edge cases and boundary conditions",
+        payloads: [
+            {
+                payload: "",
+                evidence: /(empty.*not.*allowed|required|cannot.*be.*empty|must.*not.*be.*empty)/i,
+                riskLevel: "LOW",
+                description: "Empty string validation",
+                payloadType: "validation",
+            },
+            {
+                payload: "A".repeat(10000),
+                evidence: /(too.*long|exceeds.*length|maximum.*length|length.*limit)/i,
+                riskLevel: "MEDIUM",
+                description: "Maximum length validation",
+                payloadType: "validation",
+            },
+            {
+                payload: "-1",
+                evidence: /(negative.*not.*allowed|must.*be.*positive|invalid.*value)/i,
+                riskLevel: "LOW",
+                description: "Negative number validation",
+                payloadType: "validation",
+            },
+        ],
+    },
+    // 9. REQUIRED FIELDS
+    {
+        attackName: "Required Fields",
+        description: "Test if tool validates required parameters",
+        payloads: [
+            {
+                payload: "MISSING_REQUIRED",
+                evidence: /(required|missing.*parameter|field.*required|parameter.*required)/i,
+                riskLevel: "MEDIUM",
+                description: "Missing required fields",
+                payloadType: "validation",
+            },
+        ],
+    },
+    // 10. MCP ERROR FORMAT
+    {
+        attackName: "MCP Error Format",
+        description: "Verify errors follow MCP protocol specification",
+        payloads: [
+            {
+                payload: "INVALID_TRIGGER_ERROR",
+                evidence: /(isError|error|invalid|failed)/i,
+                riskLevel: "LOW",
+                description: "Error response compliance check",
+                payloadType: "protocol",
+            },
+        ],
+    },
+    // 11. TIMEOUT HANDLING
+    {
+        attackName: "Timeout Handling",
+        description: "Test if tool handles long operations gracefully",
+        payloads: [
+            {
+                payload: "SIMULATE_LONG_OPERATION",
+                evidence: /(timeout|timed.*out|exceeded.*time|operation.*timeout)/i,
+                riskLevel: "LOW",
+                description: "Operation timeout handling",
+                payloadType: "protocol",
+            },
+        ],
+    },
+];

package/client/lib/lib/securityPatterns.d.ts CHANGED Viewed

@@ -1,77 +1,26 @@
 /**
  * Backend API Security Patterns
- * Tests MCP server API security with 30 focused patterns
  *
- * Architecture: Attack-Type with Specific Payloads
- * - Critical Injection (6 patterns): Command, Calculator, SQL, Path Traversal, XXE, NoSQL
- * - Input Validation (3 patterns): Type Safety, Boundary Testing, Required Fields
- * - Protocol Compliance (2 patterns): MCP Error Format, Timeout Handling
- * - Tool-Specific Vulnerabilities (10 patterns):
- *   - Indirect Injection, Unicode Bypass, Nested Injection, Package Squatting
- *   - Data Exfiltration, Configuration Drift, Tool Shadowing
- *   - Tool Output Injection (Issue #103, Challenge #8)
- *   - Secret Leakage (Issue #103, Challenge #9)
- *   - Blacklist Bypass (Issue #103, Challenge #11)
- * - Resource Exhaustion (1 pattern): DoS/Resource Exhaustion
- * - Deserialization (1 pattern): Insecure Deserialization
- * - Token Theft (1 pattern): Authentication token leakage
- * - Permission Scope (1 pattern): Privilege escalation and scope bypass
- * - Auth Bypass (1 pattern): Fail-open authentication vulnerabilities (Issue #75)
- * - Cross-Tool State Bypass (1 pattern): Cross-tool privilege escalation via shared state (Issue #92)
- * - Chained Exploitation (1 pattern): Multi-tool chain execution attacks (Issue #93)
- * - Session Management (1 pattern): Session fixation, predictable tokens, no timeout (Issue #111)
+ * @deprecated This file has been modularized into focused modules for better maintainability.
+ * All exports are re-exported from the new `securityPatterns/` directory for backward compatibility.
  *
- * Scope: Backend API Security ONLY
- * - Tests structured data inputs to API endpoints
- * - Validates server-side security controls
- * - Tests MCP protocol compliance
- * - Tests tool-specific vulnerability patterns with parameter-aware payloads
+ * For new code, prefer importing from specific modules:
+ * - `@/lib/securityPatterns/types` - SecurityPayload, AttackPattern interfaces
+ * - `@/lib/securityPatterns/injectionPatterns` - Critical injection attacks
+ * - `@/lib/securityPatterns/validationPatterns` - Input validation and protocol
+ * - `@/lib/securityPatterns/toolSpecificPatterns` - Tool-specific vulnerabilities
+ * - `@/lib/securityPatterns/resourceExhaustionPatterns` - DoS and deserialization
+ * - `@/lib/securityPatterns/authSessionPatterns` - Auth and session management
+ * - `@/lib/securityPatterns/advancedExploitPatterns` - Advanced multi-step exploits
  *
- * Out of Scope: LLM Prompt Injection
- * - MCP servers are APIs that receive structured data, not prompts
- * - If a server uses an LLM internally, that's the LLM's responsibility
- * - We test the MCP API layer, not the LLM behavior layer
- */
-import { SecurityRiskLevel } from "./assessmentTypes.js";
-export interface SecurityPayload {
-    payload: string;
-    evidence: RegExp;
-    riskLevel: SecurityRiskLevel;
-    description: string;
-    payloadType: string;
-    parameterTypes?: string[];
-}
-export interface AttackPattern {
-    attackName: string;
-    description: string;
-    payloads: SecurityPayload[];
-}
-/**
- * ========================================
- * BACKEND API SECURITY PATTERNS
- * ========================================
+ * Or import everything from `@/lib/securityPatterns`:
+ * ```typescript
+ * import { SECURITY_ATTACK_PATTERNS, getPayloadsForAttack } from "../lib/securityPatterns.js";
+ * ```
  *
- * 30 focused patterns for MCP server API security
- */
-export declare const SECURITY_ATTACK_PATTERNS: AttackPattern[];
-/**
- * Get all payloads for an attack type
- */
-export declare function getPayloadsForAttack(attackName: string, limit?: number): SecurityPayload[];
-/**
- * Get all attack patterns (for testing all tools)
- */
-export declare function getAllAttackPatterns(): AttackPattern[];
-/**
- * Get pattern statistics
+ * See GitHub Issue #163 for details on this refactoring.
+ *
+ * @module securityPatterns
  */
-export declare function getPatternStatistics(): {
-    totalAttackTypes: number;
-    totalPayloads: number;
-    highRiskPayloads: number;
-    mediumRiskPayloads: number;
-    lowRiskPayloads: number;
-    payloadTypeBreakdown: Record<string, number>;
-    averagePayloadsPerAttack: number;
-};
+export * from "./securityPatterns/index.js";
 //# sourceMappingURL=securityPatterns.d.ts.map

package/client/lib/lib/securityPatterns.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"securityPatterns.d.ts","sourceRoot":"","sources":["../../src/lib/securityPatterns.ts"],"names":[],"mappings":"AAAA~~;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiCG~~;AAEH,~~OAAO,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AAEtD,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,iBAAiB,CAAC;IAC7B,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC;IACpB,~~cAAc,~~CAAC~~,~~EAAE,MAAM,EAAE,~~CAAC;CAC3B;AAED,MAAM,WAAW,aAAa;IAC5B,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,eAAe,EAAE,CAAC;CAC7B;AAED;;;;;;GAMG;AACH,eAAO,MAAM,wBAAwB,EAAE,aAAa,EAoiEnD,CAAC;AAEF;;GAEG;AACH,wBAAgB,oBAAoB,CAClC,UAAU,EAAE,MAAM,EAClB,KAAK,CAAC,EAAE,MAAM,GACb,eAAe,EAAE,CAQnB;AAED;;GAEG;AACH,wBAAgB,oBAAoB,IAAI,aAAa,EAAE,CAEtD;AAED;;GAEG;AACH,wBAAgB,oBAAoB;;;;;;;;EA8BnC"}
1	+ {"version":3,"file":"securityPatterns.d.ts","sourceRoot":"","sources":["../../src/lib/securityPatterns.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAEH,cAAc,0BAA0B,CAAC"}